The Windows Server group is your premier resource for objective technical discussion and peer-to-peer support on the Microsoft Windows Server family of products including Windows Server 2003, IIS Server, ISA Server, and SMS Server.

Win 2k3 webserver configuration

I have a win2k3 server as domain controller with IIS installed. It has a private IP of 192.168.1.2. Our public IP is configured on the firewall. Now, to make it a web server, do I need a separate public IP configured on the server?


The short answer is no. You should be able to route your public IP on your
firewall to the web server (all firewalls allow port forwarding/routing to
be configured).

The long answer is this:

I would not recommend setting your AD server as a public web server. The
reason is simple: If the web server gets compromised, it exposes your entire
AD structure to the possibility of a hack.

It would be better to have another server configured as the web server,
potentially in a DMZ (most enterprise class firewalls allow for a DMZ that
is exposed publicly, but completely separate from the internal network) -
if the firewall does not allow it, look at your router and see if it does.
If your router is managed via outsource (external management team), have
them look into it.

If you don't have the budget for new hardware, you can always virtualize the
web server on the AD server (still have concerns about that) and potentially
limit the possibility of someone corrupting your AD server if the web server
becomes compromised.

The bottom line here is that you should never expose your domain server (AD)
to external forces - it should remain behind the NAT to better ensure
protection.

If you must do it this way, please make sure that you have the following in
place:

4. Install and maintain a good Anti-Malware software (McAfee, Symantec,
Panda, etc.) - only one is needed. You should also keep Malwarebytes
Anti-Malware in place. This is simply to back up the Anti-Malware package -
no AM software is 100%, but with another layer, you can be certain that you
are very close to 100% protected.

5. Configure your firewall to protect against any unwanted inbound or
outbound traffic

6. Establish a daily maintenance window to monitor the web server and the AD
server. This is necessary to ensure you can catch any 'glitches' before they
become bigger. With the sophistication of the hackers these days, you really
have to babysit your servers to protect them from harm - even with the AM
software and other security layers in place. You can go another direction
and have some heavy duty monitoring software that will alert you as soon as
an anomaly is detected and the software is unable to recover from it.

7. You should not need another public IP, but it may be a good idea to have
one. This is so you can determine where any bad traffic is coming from.
Shortens the troubleshooting time and lets you know if the server is the
culprit or that it is coming from elsewhere (if the firewall IP is being
monitored and shows up in your report, you can start looking at those logs
instead).

In case you are wondering, yes I am in the IT security field and I am a
cynic as well. :)
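As an added example (not from this thread, not from Microsoft), the following PowerShell audit flags the configuration both replies advise against: a host that is a domain controller and is also running IIS with a listener on 80 or 443. It assumes PowerShell 2.0 or later is installed on the server and that it is run with administrator rights; the role names, `Get-DomainRole` and `Get-WebListeners` are names chosen for this example.

```powershell
# Added example: audit a Windows host for the risky combination the thread
# warns about (domain controller role + IIS serving HTTP/HTTPS).
# Uses only WMI, Get-Service and netstat, so it runs on older Server builds.

function Get-DomainRole {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    switch ($role) {
        0 { 'Standalone Workstation' }
        1 { 'Member Workstation' }
        2 { 'Standalone Server' }
        3 { 'Member Server' }
        4 { 'Backup Domain Controller' }
        5 { 'Primary Domain Controller' }
        default { "Unknown ($role)" }
    }
}

function Get-WebListeners {
    # Parse 'netstat -ano' for TCP sockets LISTENING on 80 or 443.
    # Columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            # Strip everything up to the last colon: works for 0.0.0.0:80 and [::]:443
            $port = [int]($f[1] -replace '^.*:', '')
            if ($port -eq 80 -or $port -eq 443) {
                New-Object PSObject -Property @{ Local = $f[1]; Port = $port; PID = [int]$f[4] }
            }
        }
    }
}

$isDC      = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole -ge 4
$iis       = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
$listeners = @(Get-WebListeners)

"Domain role : $(Get-DomainRole)"
"W3SVC       : $(if ($iis) { $iis.Status } else { 'not installed' })"
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.PID -ErrorAction SilentlyContinue
    "Listening   : $($l.Local)  (PID $($l.PID), $($proc.ProcessName))"
}

if ($isDC -and $iis -and $iis.Status -eq 'Running' -and $listeners.Count -gt 0) {
    Write-Warning 'This host is a domain controller AND serves HTTP/HTTPS.'
    Write-Warning 'Move the site to a member server or a DMZ host before publishing it.'
}
```

Run it on the box you intend to publish; a clean result is a member or stand-alone server that shows the listeners and no warning.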

The simplest method is to just create a port-forwarding rule on your firewall for port 80 on the public side to 192.168.1.2 on the inside, or 443 if using SSL. You shouldn't actually use a domain controller as a web server, because if someone hacks the website they now have access to all of your user accounts - a member server on the domain is better, or a stand-alone server in a DMZ is best. If this is for a few users and not your company's public website, you might consider changing the public port to something other than 80 (like 20080) to make it a less obvious target (your firewall rule would now have to be redirecting/translating 20080 on the outside to port 80 on the server, unless you also set up the server to listen on 20080).

Copyright 1998-2015 Ziff Davis, LLC (Toolbox.com). All rights reserved. All product names are trademarks of their respective companies. Toolbox.com is not
affiliated with or endorsed by any company listed at this site.